Steve McKean Web Programming Pages: Introduction to Web Programming - e-learning

Session 7: e-learning


 

Web courses

In this session, implementation of web courses using ColdFusion is discussed. As a student of this course, you should be particularly well armed with good ideas from your personal experience. It is impossible to go through a complete course in detail. The course you are attending contains for example more than 1000 files of different types organized in a structure with about 180 folders. In this session, we concentrate on discussing a few essential problems common for most Web courses.

As an application example, a hypothetical web course on Information Retrieval is used. We assume that the following list can be used as a guide for our discussion:

  • Course architecture
  • Authorization and authentication
  • Texts
  • Illustrations
  • Literature
  • Evaluation

You will find a link to the implementation of the example at the end of the session. You can either register yourself and get your own PIN code, or you can behave as already registered with e-mail "dummy@dummy" and PIN code "0".

Course architecture

Development of a web course, like any IT system, is an art. There are no absolute, proven rules for what is the right or the best approach. The more complex the objectives are, the more elaborate a course structure will be required. In this example application, a folder with a flat organization of all needed files will be considered acceptable. All the files for the example are in a single folder, with the exception of a database located outside the directly accessible area and referred to as #session.datasource#.

Security considerations are important only in connection with course design. We use the course application as a case for discussing authorization and authentication of users, which is a common task in many applications. Along the way, we shall also comment on other forms of security. In Figure 1, the overall organization of the example course is depicted. The figure indicates that the topics we are particularly interested in discussing are authorization, authentication and progress control.

Authorization and authentication

In most web courses, participation requires authorization, i.e. each participating student has been admitted by a sponsoring organization. Through authorization, the participant receives some kind of identification to prove his/her right to enter the course. The requirements governing the authorization can vary from course to course. The technique of assigning the identification for proving the right to participate is a highly relevant subject to discuss in more detail.

The first template we shall discuss is index.cfm, which opens our example course scenario. It starts with a welcome text to both admitted students and new applicants. Line 3 differentiates actions for the two groups. If the caller is new, he/she is asked to go on to registration, while already registered students can proceed to the login as specified in Lines 5-9.

Consider the login alternative first. The login process, Figure 2, requires that the student types his/her e-mail address and the personal PIN code which she/he received when registered. The process of checking that a student is entitled to access the course as an admitted student is referred to as authentication.

The index.cfm template is quite ordinary and looks like this:

1. <!--- index.cfm --->

2. <h1><font color="Blue"> <font size="+3"><i>e-learning</i> Information Retrieval</font></font></h1>

3. <p>Thank you for your interest in this course on Information Retrieval. If you already have registered for the course, go on to the login. If you are new and want to join this course, we need some information from you, and you will need a personal identity number (PIN). Please click on <a href="registration.cfm">registration form.</a> </p>

4. <p>If you already are registered, please continue </p>

5. <p><b><font color="Red">Access the course with your

6. <FORM METHOD="POST" ACTION="authentication.cfm">

7. <p>PIN: <INPUT TYPE="Password" name ="submitted_pin" SIZE="17"></P>

8. <p>Click the button <INPUT TYPE="SUBMIT" NAME="response" VALUE="Submit"></p>

9. </FORM>

Lines 6-7 of the template indicate that for authentication, the e-mail address and the PIN code are required. More identifiers mean higher security, i.e. less risk of intruders. Note that the example discussed follows a stricter authentication policy than that followed by Dynamic Web Applications by requiring 2 identifiers!

Registration and authorization

If the student replies that he wants to register, the registration.cfm template is called (Figure 3):

1. <!--- registration.cfm --->

2. <h2><font color="Blue">Registration form</font></h2>

3. <form action="authorization.cfm" METHOD="post">

4. <pre>

5. First name: <INPUT TYPE="text" NAME="FirstName" SIZE="30">

6. Family name: <INPUT TYPE="text" NAME="LastName" SIZE="30">

7. E-mail: <INPUT TYPE="text" NAME="Email" SIZE="30">

8. </pre>

9. <p>All boxes must be completed for successful processing.</p>

10. <p><INPUT TYPE="submit" VALUE="Submit"> your registration.</p>

11. </form>

The PIN can either be self-composed, i.e. the person who requests registration provides his/her own password, or it is assigned by the system. Self-composed PINs have the advantages that they may be easier for the owners to remember, and they can by special techniques (hashing) be kept secret also from the system staff. Compared with system-assigned passwords, the disadvantages of self-composed PINs are that they may be easy to guess, and they cannot easily serve as internal identifiers. The above template has no field for providing a self-composed PIN, indicating that we have chosen to use system-assigned identifiers.

The registration.cfm template passes control to the authorization.cfm template, which can be modified in several ways. For example, the course capacity, which is set in Line 2, will depend on a number of factors such as the nature of the course, the capacity of the instructor, the hardware platform, and the limitations of the web server. In a similar way, the multiplier set in Line 3 is another parameter that can be changed. Increasing the value of the multiplier affects the security of authentication by reducing the risk that a valid password can be found by a potential intruder. Note that the value 5 of the multiplier, with the random PIN generation used in this example, means that a potential intruder must on average make 5 trials to hit a valid PIN value, because the number space from which the codes are drawn is 5 times the capacity. Since a valid PIN has to be combined with the associated e-mail address, the risk is considered low enough.

This application uses the datasource #session.datasource# with a table, used_pin, which has 2 columns, email and pin. For security reasons, the database is located outside the area available from the web and is in our example specified in Application.cfm.

The template has a CFQUERY tag named "list" with a SELECT FROM statement in Line 4. The SQL statement retrieves all values in column pin. The number of records in the table is available as the value of the variable List.Recordcount. In Line 7, a CFIF tag tests whether the number of used PINs, i.e. the value #List.Recordcount#, has already reached the capacity limit. If so, a message about no vacant position is sent to the student. If there is still capacity, Lines 10-31 specify the further processing.

1. <!--- authorization.cfm --->

2. <cfset capacity="10">

3. <cfset multiplier="5">

4. <CFQUERY NAME="list" datasource="#session.datasource#">

5. SELECT pin FROM used_pin

6. </cfquery>

7. <CFIF #list.Recordcount# GTE #capacity#>

8. <h2><font color="Red">Sorry, the course has no vacant position.</font></h2>

9. <CFELSE>

10. <CFSET test="0">

11. <cfloop condition="#test# EQ 0">

12. <!--- No Randomize() call here: re-seeding with second(Now()) on every pass repeats the same PIN until the second changes --->

13. <CFSET generated_pin=RandRange(1, multiplier*capacity)>

14. <cfset test="1">

15. <CFLOOP QUERY="list">

16. <cfif #list.pin# EQ #generated_pin#>

17. <cfset test="0">

18. <cfbreak>

19. </cfif>

20. </cfloop>

21. <cfif #test# EQ 1>

22. <CFBREAK>

23. </cfif>

24. </cfloop>

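25. <cfquery name="add_pin" datasource="#session.datasource#">

26. INSERT INTO used_pin(pin,email) VALUES(<cfqueryparam value="#generated_pin#" cfsqltype="cf_sql_varchar">, <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">)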

27. </cfquery>

28. <cfoutput><h2><font color="Blue">Your PIN for the course</font></h2>

29. <p>You have been admitted to the course. Use the following PIN each time you log in to the course: <b>#generated_pin#</b></p>

30. </cfoutput>

31. </cfif>

The second part of the template concerns the generation of a PIN code not previously used. A variable called test is set equal to 0, followed by a CFLOOP block from Line 11-20. This loop runs as long as the condition "#test# EQ 0" is true. In Lines 12-13, a PIN code is generated by a random generator in the range 1 to #multiplier#*#capacity#, and the variable test is set to "1". Then an inner CFLOOP block is inserted in Lines 15-20 to check whether the generated PIN is free and not already assigned to another student.

The operation of this second CFLOOP block is interesting because, by referring to the name "list" of the query, it automatically loops through the query object, i.e. all the retrieved PINs, and compares in Line 16 each used PIN with the newly generated PIN. If the new PIN code is found among the used PIN codes, the variable test is again set to 0, this inner CFLOOP is broken, and the remainder of the outer CFLOOP in Lines 21-24 is passed without any actions. Control is returned to Line 11. This continues until the inner loop is passed without being broken, which implies that the generated PIN is unused. In Lines 25-27 the new student is inserted into the database with e-mail address and PIN code, and in Lines 28-30 a message is generated for return to the student.

In a real-life course, the registration form will usually be intercepted for an off-line evaluation against other criteria such as previous training and grades. Following a positive external evaluation, the PIN code will then be generated and a message sent to the applicant.

Authentication

If the student logging in has submitted his e-mail address and PIN code on the form generated by the index.cfm template discussed above, the process control is transferred to the template authentication.cfm. The purpose of this template is limited to checking that the submitted PIN code exists.

This template starts by setting a variable test to 0 and querying the datasource for the list of all registered pairs of email and pin values. The query is named "authentication".

1. <!--- authentication --->

2. <cfset test="0">

3. <cfset submitted_pin="#form.submitted_pin#">

4. <cfquery datasource="#session.datasource#" name="authentication">

5. SELECT pin FROM used_pin

6. </cfquery>

7. <cfloop query="authentication">

8. <cfif #pin# EQ #submitted_pin# >

9. <cfset test="1">

10. <cfbreak>

11. </cfif>

12. </cfloop>

13. <cfif #test# EQ "1">

14. <cfset session.pin=#submitted_pin#>

15. <h3><font color="Blue">Please, <a href="content.cfm">continue</a></font></h3>

16. <cfelse>

17. <h3><font color="Red">Your PIN code was not accepted.</font></h3>

18. </cfif>

As in the authorization template, this template also has a CFLOOP block in Lines 7-12 in which all retrieved PIN codes are compared with the submitted PIN. If one retrieved code matches the submitted one, the variable test is set to "1" and the loop is broken. Line 13 tests the variable test. If #test# EQ "1", the authentication is positive. If the test condition is not true, Line 17 produces a message to the student that the PIN code was rejected.

The above templates demonstrate the principle. If we should implement the previously stated security policy, both the registered email address and the used PIN codes should be retrieved for each student, and compared with the submitted email address and PIN code.
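The combined check described above could look as follows. This is an added example, not one of the course's own templates: the form field submitted_email, the limit max_failures and the structure application.failed_logins are assumptions. Because the PIN space is only multiplier times capacity values, the sketch also counts failed attempts per registered e-mail address.

```cfml
<!--- authentication.cfm, combined e-mail + PIN check (added example) --->
<!--- Assumption: the login form posts submitted_email next to submitted_pin. --->
<cfparam name="form.submitted_email" default="">
<cfparam name="form.submitted_pin" default="">
<cfset max_failures = 5>   <!--- hypothetical limit per e-mail address --->
<cfset key = LCase(Trim(form.submitted_email))>
<cfset authenticated = false>

<!--- Fetch only the PINs registered for this address. cfqueryparam binds
      the value, so it is never interpreted as SQL. --->
<cfquery name="authentication" datasource="#session.datasource#">
  SELECT pin FROM used_pin
  WHERE email = <cfqueryparam value="#Trim(form.submitted_email)#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Failures are counted only for registered addresses and kept in the
      application scope, so dropping the session cookie does not reset the
      counter and unknown addresses cannot grow the structure. --->
<cfif authentication.RecordCount GT 0>
  <cflock scope="application" type="exclusive" timeout="5">
    <cfif NOT IsDefined("application.failed_logins")>
      <cfset application.failed_logins = StructNew()>
    </cfif>
    <cfif NOT StructKeyExists(application.failed_logins, key)>
      <cfset application.failed_logins[key] = 0>
    </cfif>
    <cfif application.failed_logins[key] LT max_failures>
      <!--- Exact string match against the PINs stored for this address. --->
      <cfif ListFind(ValueList(authentication.pin), form.submitted_pin)>
        <cfset authenticated = true>
        <cfset application.failed_logins[key] = 0>
      <cfelse>
        <cfset application.failed_logins[key] = application.failed_logins[key] + 1>
      </cfif>
    </cfif>
  </cflock>
</cfif>

<cfif authenticated>
  <cfset session.pin = form.submitted_pin>
  <h3><font color="Blue">Please, <a href="content.cfm">continue</a></font></h3>
<cfelse>
  <!--- One message for every failure: wrong PIN, unknown address, lockout. --->
  <h3><font color="Red">Your e-mail address and PIN code were not accepted.</font></h3>
</cfif>
```

The counter in this sketch lasts until the application scope is reset, so a production version would expire it after a waiting period. A lockout per address also lets anyone who knows a student's e-mail address block that student's login, which has to be weighed against the guessing risk.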

List of content

After a positive authentication, template content.cfm displays a list of the course content for the student from which he/she can select a lecture (Figure 4). Note that Lecture 2-4 have no links since they are non-existent in the example.

1. <!--- content.cfm --->

2. <h2><font color="Blue">Information Retrieval Course</font></h2>

3. <h1><font color="Blue">Content:</font></h1>

4. <ol>

5. <li>Lecture: <a href="text.cfm">Introduction</a></li>

6. <li>Lecture: Description and query language</li>

7. <li>Lecture: Document indexing</li>

8. <li>Lecture: File organization</li>

9. <li>Lecture: Search operation</li>

10. <li>Lecture: <a href="evaluation.cfm">Evaluation</a></li>

11. <p></p>

12. <li><a href="literature.cfm">References</a></li>

13. <li><a href="figures.cfm">Figures</a></li>

14. </ol>

The template is rather trivial and requires no further comments.

Associated with each lecture, a number of special features can be established. Access may, for example, be delayed to a certain opening date to avoid that the students rush through the course. The lecture can be finished by a test in which the student can check if he/she has read the lecture thoroughly and a pre-described test result must be achieved as a condition to continue with the next lecture. As a student of this CFMX course, you have personal knowledge about the functioning of the tests and their features. It is also easy to introduce closing dates for the lectures if wanted.

Lectures

From the list of contents, there are links to the different parts of the course. As illustration, only a few components are implemented in this example and listed below. On top of each template, a CFIF tag has been included with a special condition, IsDefined('session.pin'). This tag tests whether the client calling the page has been authenticated and a session.pin variable defined in Line 13 of authentication.cfm. If this variable has not been defined, control goes to CFELSE and to CFABORT at the end of the templates. This feature reduces the risk of arbitrary visits to individual pages of the course system.

Lecture 1 could look like this:

1. <!--- text.cfm --->

2. <cfif IsDefined('session.pin')>

3. <h1><font color="Blue">A COURSE IN INFORMATION RETRIEVAL</font></h1>

4. <h2><font color="Blue">Lecture 1: Introduction</font></h2>

5. <p>The topic information retrieval concerns the structure, analysis, implementation, search and dissemination of documents representing information. The purpose of an information retrieval system is to satisfy needs for information in a best possible way. </p>

6. <p>A typical modern information retrieval system is implemented in a host computer which can be accessed on internet from client computers. It is implemented with 2 sets of software, the client software and the server software.</p>

7. <p>The required client software is the basic software for working with the internet, while the server requires the general software to provide services on internet as well as specialized software for the information retrieval application. </p>

8. <p>The information retrieval application is built with a collection of documents as in an ordinary library or files as with a provider of electronic document representations as the core. To help the user to identify the documents in which he/she is interested, a set of files with meta data for the documents are developed and frequently organized in a database. In some applications, but far from all, even the electronic documents themselves can be included in the database.</p>

9. <p>To interact with the system, the user must use a query language which has been adjusted to the type of meta data in the database. The user must be able to describe the general properties of the unknown documents he/she wants to identify. On the other side, the retrieval system must be able to interpret the requests, communicate with the user for more details if necessary, and search in the system for the documents wanted. <a href="figure1.jpg">Figure 1</a> gives an overview of a retrieval system.</p>

10. <p>Depending on the user's knowledge about the system, the components of the query language, the meta data for the documents included in the collection, and the composition of documents, the retrieval process may be more or less successful. To be able to compare one retrieval system application with a second, measures of performance are needed. For information retrieval, 2 measures, recall and precision, have been widely used.</p>

11. <p>If A is the subset of the documents which are relevant for a certain task expressed by the query Q, and B is the retrieved documents, the ratio (A AND B)/A is called the recall of the retrieval system for the query Q. The precision of the expressed Q for the same task is the ratio (A AND B)/B. Since the evaluation of the recall in principle assumes that the set of relevant documents in the collection is known (if it is known, no retrieval problem exists), the set A has to be estimated. Precision, on the other hand, requires no knowledge outside the retrieved set B.</p>

12. <h3><font color="Blue"><a href="literature.cfm">Literature</a></font></h3>

13. <p>Return to the <a href="content.cfm">Content</a>.</p>

14. <cfelse>

15. <CFABORT>

16. </cfif>

Note that the links to other texts, literature, figures, etc. are included as in a usual HTML page. Figure 5 shows a part of the lecture. The other session text example is Lecture 6:

1. <!--- evaluation.cfm --->

2. <cfif IsDefined('session.pin')>

3. <h2><font color="Blue">Lecture 6: Retrieval evaluation</font></h2>

4. <p>A retrieval system can be evaluated based on a number of criteria including its effectiveness to provide a satisfactory output, operational, maintenance and capital costs. In this lecture, we focus on the effectiveness of the system with particular reference to the 2 central concepts: recall and precision.</p>

5. <p><a href="figure2.jpg">Figure 2</a> presents the relations among the different document sets and the 2 measures. Evaluating a retrieval system with these measures requires an experiment which can be outlined by the following steps:</p>

6. <ul>

7. <li>Delimit the collection for the experiment</li>

8. <li>Define a set of retrieval queries representative for the use of the collection</li>

9. <li>Draw a random sample of the collection documents</li>

10. <li>Let experts decide how many documents in the sample are relevant for the different queries</li>

11. <li>Estimate the total number of items in the collection relevant for the different queries</li>

12. <li>Run the queries and let experts decide how many relevant items are found in each query</li>

13. <li>Compute recall and precision measures based on the estimated totals and the relevant documents from the queries</li>

14. </ul>

15. <h3><font color="Blue"><a href="literature.cfm">Literature</a></font></h3>

16. <p>Return to the <a href="content.cfm">content</a>.</p>

17. <cfelse>

18. <CFABORT>

19. </cfif>

There are several opinions about how to control the progress of students through a course depending on the author's experience and beliefs. One hypothesis is that students should not progress too fast through the lectures, and dates at which each lecture is opened are implemented. Another hypothesis is that the learning from the current lecture should be tested before a student is permitted to advance to the next. A third hypothesis may be that deadlines and closing dates for the lectures constitute a positive learning pressure. These are a number of interesting hypotheses which can be tested in connection with course progress regulation.

In our example, we shall demonstrate how a simple control can be implemented by using session opening dates. Template text2.cfm demonstrates how the progress can be regulated by dating the presentations. Line 2 sets the variable open to a certain date and time. If the CFML function Now() has a greater value than #open#, the lecture is available as Lecture 2 below. If not, the caller will receive a message about the opening time in return.

1. <!--- text2.cfm --->

2. <cfset open="October 22, 2001 06:00:00">

3. <cfif Now() GT #open#>

4. <h1><font color="Blue">A COURSE IN INFORMATION RETRIEVAL</font></h1>

5. <h2><font color="Blue">Lecture 2: Review of retrieval methods</font></h2>

6. <!--- Text --->

7. <cfelse>

8. <cfoutput>

9. <h2><font color="Red">Sorry, this lecture is not open before #open#</font></h2>

10. </cfoutput>

11. </cfif>

According to Lines 2-3, template text2.cfm will always be open in this implementation because of the past date.

For Lecture 3 the variable open has been set to a future date in the example application, and as you can see, the template returns the message that the lecture is not open before the date set by the author.
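Both the login check placed on top of each lecture template and the opening-date check of text2.cfm can be enforced in one place, so that a template which omits its own check (text2.cfm as printed above has no IsDefined('session.pin') test) is still protected. The following Application.cfm is an added example, not the course's own file: the application name, the datasource name, the template name text3.cfm and its opening date are assumptions.

```cfml
<!--- Application.cfm (added example): runs before every template in the folder --->
<cfapplication name="ir_course" sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Placeholder datasource name; the session text only says that
      session.datasource is specified in Application.cfm. --->
<cfset session.datasource = "ir_course_db">

<!--- Templates that must stay reachable before login. --->
<cfset public_pages = "index.cfm,registration.cfm,authorization.cfm,authentication.cfm">

<!--- Opening date per lecture template. text3.cfm and its date are
      constructed for this example. --->
<cfset opening = StructNew()>
<cfset opening["text2.cfm"] = CreateDateTime(2001, 10, 22, 6, 0, 0)>
<cfset opening["text3.cfm"] = CreateDateTime(2035, 1, 1, 6, 0, 0)>

<!--- File name of the template the browser asked for. --->
<cfset requested = GetFileFromPath(GetBaseTemplatePath())>

<!--- Gate 1: everything that is not on the public list needs a login. --->
<cfif NOT ListFindNoCase(public_pages, requested) AND NOT IsDefined("session.pin")>
  <cflocation url="index.cfm" addtoken="No">
</cfif>

<!--- Gate 2: a dated lecture is refused until its opening time. --->
<cfif StructKeyExists(opening, requested)>
  <cfif DateCompare(Now(), opening[requested]) LT 0>
    <cfoutput>
    <h2><font color="Red">Sorry, this lecture is not open before
    #DateFormat(opening[requested], "mmmm d, yyyy")#
    #TimeFormat(opening[requested], "HH:mm:ss")#</font></h2>
    </cfoutput>
    <cfabort>
  </cfif>
</cfif>
```

New templates are closed to unauthenticated visitors by default with this arrangement, because only the names listed in public_pages are exempt from the login gate.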

Concluding remarks

We have in this session studied some challenges connected with implementation of a web course. The dynamics required are mainly associated with the authentication of students and the use of the course. There are several obvious research tasks associated with web courses. Web courses can be an excellent choice for implementing some topics and a bad one for others. Which and why? Who are the students benefitting from a web course? Which are efficient authentication variables for a course? Is authentication really necessary and why?

Most courses have a number of structural attributes in common. It is possible to develop course generators, which permit the author to select his/her preferred structure and of course content. The Dynamic Web Application course was developed by means of a generator.

Exercises

a. In this session, a main topic is authorization and authentication. Read Chapter 8 in RBB and learn more about security. You will find that security has many aspects and there are many approaches to obtain a required security level.

b. The authentication.cfm template of this session example was limited to checking that the submitted PIN was a valid pin code. Extend the template to make a combined check of submitted email address and PIN code.

c. The content of the Information Retrieval example used in the application of this session is primitive. Try to make your own course template manuscript. You may find that it is not difficult, but requires a large amount of work.

d. This course in Dynamic Web Applications adheres to the assumption that frequent testing (at the end of each session) gives the student a possibility to control their own learning. Design a model for how testing can be introduced in this session's application example. Which additional templates and files are required? Do you see any problems creating the templates?

Link to the session examples.

Link to the session test.

You are reminded to turn to the Assignment section, complete and submit your project proposal. You are required to both submit your proposal and pass the Test to obtain access to Session 8.

Link to the session assignment.

 
